We all work in the internet security industry, and as such we're involved with a wide range of technologies, markets and people. Our collective blog is a space for our insights, observations and interests...

(N.B. The opinions expressed here are those of the individual authors, and not those of Smoothwall ltd or Smoothwall inc.)

Monday, March 25, 2013

Traditional
malware is relatively easy to spot - well, ok, I am sure most security
vendors would disagree, but it is. Compared to mobile malware - I did
say “relatively”, didn’t I?

Why
is mobile malware so different to regular “desktop” malware? Well, for
a start, there’s the environment. Even on our most lightweight laptops,
we’re willing to leave an antivirus running 100% of the time. Sure
we’ll bitch and moan about it slowing the whole show down from time to
time (usually poor software, or underwhelming tin... but still...) , but
in the end, it stays. On our ‘phones however, small is king (don’t get
me started on “phablets”, if I wanted to walk around with a plasma telly
in my pocket i’d shoplift at dixon’s). Small devices mean small
batteries, and we generally can’t afford to keep cpu chewers around
“unnecessarily”. This means that anti-malware often takes a back seat:
most users won’t run it.

Second
up, there’s the homogeneity of the devices. Android often gets slated
for a “fragmented platform”, but if you’re looking to have the same
fundamental attack vectors, mobile is a great place to be. This was a
criticism levelled at the Microsoft environment 5 years ago, but while
Windows is still highly popular, the software stack is much more varied -
Outlook is no longer de-facto, and nor is IE. iOS is going to give you
even more of a predictable basis for attack, so as a malware author,
it’s a great place to be. Our user has less control of the OS too,
coming behind the vendor and the network in the pecking order - often a
good thing, less rope to hang one’s self, but it means any AV has less
foothold in the OS, and makes it hard for the user to spot “interesting”
issues: the diagnostic tools aren’t readily available.

Finally,
we come to the killer feature - the ability to make calls. If I “own”
(or pwn, if you’re 17) your PC, you’re going to make me work to turn a
profit: I can sell it, but for peanuts, I need 1000s. You probably don’t
have your bank details in a text file on the desktop (do you? If so,
please send your IP address on a postcard...), or at least I can’t rely
on it. Your phone, however has the ability to spend money on your behalf
right out of the box by placing calls to premium numbers, or signing up
to text services. Even the appstore is more likely to be an easy place
to slyly spend your coin than anything I can find on your PC.

So
- before this post becomes “TL;DR”, i’ll leave you with a few tips on
how to avoid getting your phone hacked (russian mafia style hack, rather
than lazy journalist style hack)...

Rule
Zero: The fundamental rule of safety - if it looks too good to be true,
that’s because it is. If an app is normally 70p, and there’s a free
copy offered: pony up, you tightwad. Best case, the free/cheap one’s ad
supported, worst case, it’s worse. If an app offers you something for
nothing that you know normally costs money, well, you’re paying
somewhere. See also: Free lunch, existence or otherwise thereof.

Rule
One: Check the permissions. Both iOS and Android apps will state what
the app is allowed to do. Be especially cautious with things that could
cost you money. Sadly, most things need network capability for something
or other, so that’s not really a good red flag, but think: does this
app need this permission? Why?

Rule
Two: Follow the crowd. Wildebeest know there’s safety in numbers, and
you should too. If an app has many users it is more likely to be kosher,
but if an app is brand new to the app store and has very few downloads,
tread carefully - especially if it looks like a mature app. Check the
reviews while you’re at it.

Tuesday, March 19, 2013

I bet there's a keyboard within two feet of you right now, be it mechanical, or virtual.
You'll probably use at least three different keyboards today, which for me at least makes the keyboard more ubiquitous than the teacup.

In one guise or another, the idea of pressing buttons to produce one character at a time has been with us since 1714 and has evolved considerably in that period.
So it's been with us for a while, but personally I think the keyboard's days are well and truly numbered.

Don't get me wrong, the day you have to go to a specialist shop for an antique piece of 'typing aparatus' aren't upon us yet, but I think soon it will be possible for even the most hardened technophile to get through the average day without typing a letter.

We're halfway there already. Between Google Now and Siri, you don't really have to touch your smartphone any more to bend it's powers to your will, though there are still limitations. Touchscreens are making a valiant effort to kill the mouse and even the humble Ford Focus comes with voice control (dubbed SYNC).

In the office, things like the Leap Motion and Space Top are promising to revolutionise the way we think of the 'desktop', stripping out the middlemen of the mouse and keyboard and freeing your hands to be the expressive and dexterous tools that they were meant to be.

Couple these concepts together in a package like Google Glass or the Oculus Rift you end up with a picture more advanced than Star Trek, with people searching for, creating and sharing information without ever pushing a button. It's a fascinating technological landscape that has sweeping implications for Smoothwall and our ilk.